Postfix Built-in Content Inspection
Built-in content inspection introduction
Postfix supports a built-in filter mechanism that examines
message header and message body content, one logical header line
or one body line at a time, before the message is stored in the
Postfix queue. The filter is usually implemented with POSIX or
PCRE regular expressions, as described in the header_checks(5)
manual page.
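The following Python script is an added illustration, not code from Postfix or from this document. It mimics how the cleanup(8) daemon applies a header_checks table: rules are tried in order against each logical header, the first match decides that header, and a REJECT settles the whole message. Python's re module stands in for PCRE, the table and the two messages are constructed for the example, and folded continuation lines are joined with a single space (an approximation of the logical-header handling described in header_checks(5)).

```python
import re

# Actions that settle the fate of the whole message on the first matching header.
TERMINAL_ACTIONS = {"REJECT", "DISCARD", "HOLD", "REDIRECT", "FILTER"}

# One pcre_table(5)-style rule per line: [!]/pattern/flags ACTION [text]
RULE_RE = re.compile(
    r'^(?P<neg>!?)/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-zA-Z]*)'
    r'\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$'
)

# Constructed sample table standing in for /etc/postfix/header_checks (hypothetical file).
HEADER_CHECKS = r"""
# Stop worm-style attachments by the file name declared in the MIME header.
/^Content-(Disposition|Type):.*name\s*=\s*"?[^"]*\.(exe|pif|scr|vbs)"?/  REJECT Executable attachment not allowed
/^Subject: ILOVEYOU/   REJECT Worm subject line
# Silently drop the mail client's advertisement header; scanning continues.
/^X-Mailer:/           IGNORE
# An explicit DUNNO keeps the header and stops rule evaluation for it.
/^Received:/           DUNNO
"""


def parse_table(text):
    """Parse a pcre_table(5)-style table into a list of compiled rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        # pcre_table matches case-insensitively by default; each 'i' flag toggles that.
        case_insensitive = m["flags"].count("i") % 2 == 0
        rules.append({
            "negate": m["neg"] == "!",
            "regex": re.compile(m["pat"], re.IGNORECASE if case_insensitive else 0),
            "action": m["action"].upper(),
            "text": m["text"] or "",
        })
    return rules


def logical_headers(message, unfold=True):
    """Return the header block as logical headers: continuation lines (leading
    whitespace) are joined onto the header they belong to. unfold=False keeps
    physical lines so the effect of per-line matching can be observed."""
    headers = []
    for line in message.split("\n"):
        if line == "":
            break  # blank line ends the header block
        if unfold and headers and line[:1] in (" ", "\t"):
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def check_headers(rules, message, unfold=True):
    """Apply rules like cleanup(8): first matching rule decides each header.
    REJECT/DISCARD/HOLD/... settle the message; IGNORE deletes the header;
    WARN records a warning and keeps it; DUNNO/OK keep it. The verdict
    "ACCEPT" is this script's own label for "no terminal rule matched"."""
    kept, warnings = [], []
    for header in logical_headers(message, unfold):
        for rule in rules:
            if bool(rule["regex"].search(header)) == rule["negate"]:
                continue  # rule did not match (or negated rule did)
            action = rule["action"]
            if action in TERMINAL_ACTIONS:
                return {"verdict": action, "text": rule["text"],
                        "header": header, "headers": kept, "warnings": warnings}
            if action == "IGNORE":
                break  # header removed, not kept
            if action == "WARN":
                warnings.append((header, rule["text"]))
            kept.append(header)
            break
        else:
            kept.append(header)  # no rule matched: header passes through
    return {"verdict": "ACCEPT", "text": "", "header": None,
            "headers": kept, "warnings": warnings}


# Constructed sample messages (not captured mail). The attachment name sits on a
# folded continuation line, so only logical-header matching catches it.
WORM_MESSAGE = "\n".join([
    "Received: from mail.example.net (mail.example.net [192.0.2.10])",
    "From: <friend@example.net>",
    "To: <victim@example.com>",
    "Subject: Your invoice",
    "X-Mailer: Worm Mailer 1.0",
    "Content-Type: application/octet-stream;",
    '    name="invoice.pdf.exe"',
    "",
    "body text",
])

CLEAN_MESSAGE = "\n".join([
    "From: <alice@example.net>",
    "To: <bob@example.com>",
    "Subject: Lunch?",
    "X-Mailer: SomeClient 2.3",
    "Content-Type: text/plain",
    "",
    "body text",
])

if __name__ == "__main__":
    rules = parse_table(HEADER_CHECKS)
    for name, msg in (("worm", WORM_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = check_headers(rules, msg)
        print(name, result["verdict"], result["text"], "| kept:", len(result["headers"]))
    print("worm, physical lines only:", check_headers(rules, WORM_MESSAGE, unfold=False)["verdict"])
```

Running it with unfold=False shows the point behind "one line at a time": a pattern that expects the header name and the file name on the same physical line misses the folded attachment header, while the logical header is rejected. The same limitation applies, without any unfolding, to body lines.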
The original purpose of the built-in filter is to stop an
outbreak of specific email worms or viruses, and it does this job
well. The filter has also helped to block bounced junk email,
bounced email from worms or viruses, and notifications from virus
detection systems. Information about this secondary application
is given in the
BACKSCATTER_README document.
Because the built-in filter is optimized for stopping specific
worms and virus outbreaks, it has
limitations
that make it NOT suitable for general junk email and virus detection.
For that, you should use one of the external content inspection
methods that are described in the
FILTER_README and
SMTPD_PROXY_README
documents.
The following diagram gives an overall picture of how Postfix
built-in content inspection works:
                                       Postmaster notifications
                                                   |
                                                   v
Network or local users -> Built-in filter -> Postfix queue -> Delivery agents -> Network or local mailbox
                                                   ^                 |
                                                   |                 v
                                                   +-----------------+  Undeliverable mail, Forwarded mail
The picture makes clear that the filter works while Postfix is
receiving new mail. This means that Postfix can reject mail from
the network without having to return undeliverable mail to the
originator address (which is often spoofed anyway). However, this
ability comes at a price: if mail inspection takes too much time,
then the remote client will time out, and the client may send the
same message repeatedly.
Topics covered by this document: